THE COST OF COMPROMISED CREDENTIALS

February 28, 2017

The most common credentials are a combination of username and password, but those have lost a good bit of their protective powers. Next-generation credentials also are edging toward a precarious place. Here’s what you need to know about the dangers of compromised credentials and how to mitigate those risks.

The speed of work these days puts enormous pressure on InfoSec, IT and workers alike to rush the credentialing process. Employees, contractors and even vendors are rapidly credentialed with little attention given to security rules such as limiting access by job role, enforcing secure passwords, and immediately revoking credentials after an employee moves on. These are but a few of the dangers that lead to compromised credentials.

When passwords and usernames linger long after an employee, contractor or vendor relationship has ended, criminals get to choose from a smorgasbord of credentialed identities with which to phish employees and even top executives.

And when automated systems generate short, ineffective passwords or, conversely, overly long ones that users must write down to remember, those passwords end up compromised quickly. Add to that any password-sharing practices and security shortcuts during sign-on (such as storing a password in a browser) and things get more precarious. Yet all of this is common.

Unfortunately, PINs and tokens can fall prey to shoddy security practices, as can several of the next-generation credentialing protocols. This means the cost of data breaches will continue to escalate.

Per the Ponemon Cost of Data Breach 2016 report, the average cost of a breach has jumped to over $4 million per incident. That’s a 29 percent increase since 2013 and a 5 percent increase since last year. But this staggering figure doesn’t include damages to brand reputation, customer confidence, an executive’s career, or other related costs in damages or recovery.

Fortunately, companies can mitigate risks and regain control.

Policy makes better practice

The key to making effective policy is to consider the work processes and stagger the credential processes to fit. For example, a password may suffice for access to public-facing information with no transactional, identifying or sensitive information. These passwords should still be encrypted and protected, but they shouldn’t slow down the user.

On the other end of the spectrum, where access to highly sensitive information is needed, stronger, more complex passwords and security layers such as biometrics, cryptographic keys or out-of-band confirmation codes can be added.

The point is to match the security measures to the actual risk. But you also want to make your policy workable in the real world.

Consider asking users to think of a long sentence that means something to them and capitalize every second, third, fourth or other letter in every word. They also should use at least one symbol.

Also, it is a good idea to involve business users and executives in the policy development so that what you end up with is workable for all parties. This means better adoption and adherence.

Adding security tech, services to your arsenal

It’s important not only to use strong credentials, but also to associate known behaviors with those credentials. If, for example, you know that Bill comes to the office on Tuesdays and Thursdays but works remotely the rest of the week, and that he routinely accesses certain types of files, it becomes much harder for a criminal to use Bill’s compromised credentials undetected.
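The behavior baseline described above, sketched as an added example (not code from this article or from any security service): it learns from past activity which source a user connects from on each weekday and which file categories they touch, then lists how a new event deviates. The event fields, function names and sample history are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Constructed sample history, not real logs: (user, ISO date, source, file category).
HISTORY = [
    ("bill", "2017-02-07", "office", "finance"),    # Tuesday
    ("bill", "2017-02-08", "remote", "finance"),    # Wednesday
    ("bill", "2017-02-09", "office", "finance"),    # Thursday
    ("bill", "2017-02-10", "remote", "contracts"),  # Friday
    ("bill", "2017-02-13", "remote", "finance"),    # Monday
    ("bill", "2017-02-14", "office", "contracts"),  # Tuesday
]

def day_of(iso_day):
    """Weekday abbreviation for an ISO date string (locale independent)."""
    return DAYS[date.fromisoformat(iso_day).weekday()]

def build_baseline(history):
    """Learn, per user, the sources seen on each weekday and the file categories used."""
    baseline = defaultdict(lambda: {"sources": defaultdict(set), "categories": set()})
    for user, iso_day, source, category in history:
        baseline[user]["sources"][day_of(iso_day)].add(source)
        baseline[user]["categories"].add(category)
    return baseline

def deviations(baseline, event):
    """Return the reasons an event departs from the baseline (empty list means normal)."""
    user, iso_day, source, category = event
    if user not in baseline:
        return ["no baseline for user"]  # never profiled: cannot be judged as normal
    profile, day, reasons = baseline[user], day_of(iso_day), []
    seen = profile["sources"].get(day)
    if not seen:
        reasons.append(f"no prior activity on {day}")
    elif source not in seen:
        reasons.append(f"{source} access unusual on {day}")
    if category not in profile["categories"]:
        reasons.append(f"unfamiliar file category: {category}")
    return reasons

if __name__ == "__main__":
    learned = build_baseline(HISTORY)
    for ev in [("bill", "2017-02-21", "office", "finance"),
               ("bill", "2017-02-23", "remote", "source_code")]:
        print(ev, "->", deviations(learned, ev) or "matches baseline")
```

A valid password alone passes the first check in any login system; here the second event is flagged on two counts even though the credentials are Bill's.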

Fortunately, security services can handle all of these issues. However, not all security services are created equal.

Differences in threat intelligence

One of the key areas that differentiates security services is threat intelligence. But that’s a broad term and the services offered may be unclear, so it pays to dig deeper for a better understanding.

For example, some security vendors rely heavily on Open Source Intelligence (OSINT) data that is publicly available and sometimes unverified. While there is value in shared threat information, it is difficult to authenticate and evaluate the threat when there is insufficient or unverified information available.